Please check that the idea of this kind of authentication is to encrypt the ticket, instead of using a plain session ID. If a cookie is not available, having it on the URI is a good idea. (Then one needs to have all links in relative form; see the Cookbook.) A cookie itself does not make a secure session ID or a secure ticket. It is the encryption that does.
Peter Bi

----- Original Message -----
From: "Jean-Michel Hiver" <[EMAIL PROTECTED]>
To: "Randal L. Schwartz" <[EMAIL PROTECTED]>
Cc: "Jean-Michel Hiver" <[EMAIL PROTECTED]>; "Andrew Moore" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, June 30, 2002 10:07 AM
Subject: Re: Optional HTTP Authentication ?

> > What? The EU is going to make cookies *illegal*? I highly doubt
> > this.
>
> Sorry, I am neither the lawyer nor the client, so I can't tell you...
> I know it's really stupid, but I am going to have to deal without
> cookies.
>
> > Jean-Michel> * For usability reasons encoding session IDs on URIs would be really
> > Jean-Michel> bad... users need to be able to 'hack' the URIs without f***ing their
> > Jean-Michel> sessions!
> >
> > Why is a user "hacking" their URLs?
>
> I can answer that. http://www.useit.com/alertbox/990321.html
>
> <cite>
> * a domain name that is easy to remember and easy to spell
> * short URLs
> * easy-to-type URLs
> * URLs that visualize the site structure
> * URLs that are "hackable" to allow users to move to higher levels of
>   the information architecture by hacking off the end of the URL
> * persistent URLs that don't change
> </cite>
>
> i.e. http://bigmegamarket.com/grocery/fruits/bananas/ is cool,
> http://bigmegamarket.com/index.pl?id=231223412&sid=56765454151 is not.
>
> Again it doesn't always make implementation easy :-/
>
> > Jean-Michel> Therefore I have to use HTTP authentication...
> >
> > Even though the user/password is transmitted *in the clear* on
> > *every single hit*, because you can't just use a session identifier?
> > This is so very wrong from a security perspective.
>
> I have to agree with you on that. Cookies are probably far better than
> HTTP authentication. But I cannot use cookies. Period. I wish I could,
> because this was what I did in the first place and it was working fine!
>
> Cheers,
> --
> IT'S TIME FOR A DIFFERENT KIND OF WEB
> ================================================================
> Jean-Michel Hiver - Software Director
> [EMAIL PROTECTED]
> +44 (0)114 255 8097
> ================================================================
> VISIT HTTP://WWW.MKDOC.COM
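An added illustration of the point in Peter Bi's reply (the protected ticket, not the cookie, is what carries the security, so the same ticket can ride in the URI path when cookies are off the table). This is example code written for this page, not code from the thread or from the mod_perl cookbook, and it is in Python rather than Perl only because it needs nothing beyond the standard library. Assumptions: the `/t/<ticket>/rest/of/path` layout, the claim names `u`/`exp`/`n`, the key and the lifetime are all made up here. The ticket is protected with a keyed MAC (HMAC-SHA256) because unforgeability is the property that lets a URI-carried ticket replace a cookie; the message speaks of encryption, and if the fields must also be hidden from the user you would additionally wrap the body in an AEAD such as AES-GCM from a crypto library, which the standard library does not provide.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import urljoin

# Constructed example key; a real deployment loads this from a secret store
# and rotates it.
SERVER_KEY = b"example-only-server-key-not-for-production"

# Short lifetime: a ticket carried in the URI ends up in proxy logs, browser
# history and Referer headers, so it should expire quickly (assumed value).
TICKET_TTL = 600  # seconds


def _b64url(raw):
    """base64url without padding: only [A-Za-z0-9-_], safe inside a path segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user, now=None, key=SERVER_KEY):
    """Mint a ticket of the form base64url(body).base64url(HMAC-SHA256(key, body))."""
    now = int(time.time()) if now is None else int(now)
    # "n" is a random nonce so two tickets for the same user in the same
    # second still differ; "exp" bounds how long a leaked URI stays useful.
    claims = {"u": user, "exp": now + TICKET_TTL, "n": _b64url(os.urandom(8))}
    body = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64url(body) + "." + _b64url(tag)


def verify_ticket(ticket, now=None, key=SERVER_KEY):
    """Return the user name if the ticket is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        body_b64, tag_b64 = ticket.split(".", 1)
        body, tag = _unb64url(body_b64), _unb64url(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; any edit to the body invalidates the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] < now:
        return None
    return claims.get("u")


def forge_attempt(ticket, new_user):
    """What a user editing the URI can do: change the user field, keep the old tag."""
    body_b64, tag_b64 = ticket.split(".", 1)
    claims = json.loads(_unb64url(body_b64))
    claims["u"] = new_user
    body = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return _b64url(body) + "." + tag_b64


def ticket_from_path(path):
    """Split '/t/<ticket>/rest' into (ticket, '/rest'); (None, path) if no ticket prefix."""
    parts = path.split("/", 3)
    if len(parts) < 3 or parts[1] != "t" or not parts[2]:
        return None, path
    rest = "/" + parts[3] if len(parts) == 4 else "/"
    return parts[2], rest


def follow_link(current_path, href):
    """Resolve a link the way a browser does; relative links keep the ticket prefix."""
    return urljoin(current_path, href)


if __name__ == "__main__":
    t = issue_ticket("jean-michel")
    page = "/t/" + t + "/grocery/fruits/bananas/"
    print("valid:", verify_ticket(t))
    print("forged:", verify_ticket(forge_attempt(t, "admin")))
    print("relative '../' keeps ticket:", ticket_from_path(follow_link(page, "../"))[0] == t)
    print("absolute link drops it:", ticket_from_path(follow_link(page, "/grocery/fruits/"))[0])
```

The last two lines of the demo are the reason for the "all links relative" rule in the reply: from `/t/<ticket>/grocery/fruits/bananas/` a link to `../` resolves to `/t/<ticket>/grocery/fruits/` and the user can still "hack" the URL upward, while a site-absolute link `/grocery/fruits/` leaves the ticket behind and the next request arrives unauthenticated. The cost of the URI approach, which a cookie does not have, is that the ticket is copied into Referer headers sent to third-party sites and into every access log, so keep the lifetime short and rotate the key.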